
Cloud, Containers, Orchestration Big Factors in BSIMM9

A converged architecture that brings independent software vendors, cloud vendors and IoT vendors together is reshaping the security landscape.

As software and applications increasingly head to the cloud, traditional enterprise software security initiatives are getting turned on their head. The push to the cloud, experts say, isn’t just taking applications and services off premises: It’s redefining how DevOps and traditional IT departments tackle security.

That’s the takeaway of Synopsys’ ninth annual Building Security in Maturity Model report (BSIMM9) released Tuesday. The report revealed an emerging new dynamic for software security professionals.

“The cloud is the tail that is wagging the software security dog,” said Gary McGraw, vice president of security technology at Synopsys.

He said that independent software vendors, Internet of Things vendors and cloud vendors are converging on a similar architecture, which is necessitating a similar approach to software security impacting all sectors of technology.

“We’ve heard a lot of hype over the years about cloud and how it’s going to change everything,” McGraw said. “What we’re finding in this year’s BSIMM is we are past the hype. People are actually doing real stuff. Software security is evolving past the hysteria to match real architectural needs.”

Driving that change are three new activities among the 120 firms participating in the annual BSIMM report. The BSIMM tracks 116 unique activities among 415,000 developers.

An industry migration of software and services to application containers running on cloud platforms such as AWS, Microsoft’s Azure and Google Cloud Services has forced the software security community to adopt management software for orchestrating complex systems.

“While cloud, containers and containerization are not new phenomena, what is new is the use of cloud orchestration tools by DevOps,” McGraw said. He said software security groups are now forced to use orchestration tools to manage disparate and sprawling hybrid cloud environments.

This transition has taken some of the burden off traditional system administrators and placed it on DevOps. The byproduct is more software to audit, as DevOps teams manage hybrid infrastructures with scripts that monitor processes such as software-based data backups, load balancing and patch management.

The BSIMM outlines a third activity – keeping tabs on all the moving parts (software supply chain). McGraw said as infrastructure, applications and services become virtualized the number of unique components that make up a network has skyrocketed.

“In a cloud architecture you can have pieces of functionality that are scripts, code and third-party services located all over the place in a highly distributed fashion. You have to keep track of which versions of what you’re using from who in your application,” he said.

Failing to efficiently manage software components has led to serious and costly breaches, as attackers need to find just one vulnerable component to use as a springboard into a company. The 2017 Equifax breach, tied to the Struts vulnerability, was one of the most costly breaches in corporate history.
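The "keep track of which versions of what you're using" point above is, in practice, an inventory problem: you need a list of shipped components with versions, and a way to compare that list against the advisories that matter to you. The script below is an added example of that check and is not code from Synopsys, the BSIMM, or the article. The inventory format, the component names, the supplier fields and the advisory identifiers (`ADV-PLACEHOLDER-*`) are all constructed for illustration; the version comparison is deliberately simplified and does not implement any ecosystem's full versioning rules.

```python
"""Component-inventory check against an advisory list.

Added example, not code from Synopsys, the BSIMM report, or the article.
All data below is constructed and the advisory identifiers are placeholders.
"""
import json
import re
from dataclasses import dataclass

# Constructed inventory in a minimal SBOM-like shape (not a real SBOM standard).
# In practice this would come from a generated SBOM or the build's lock file.
SAMPLE_INVENTORY = json.dumps({
    "application": "example-web-app",
    "components": [
        {"name": "org.example:web-framework", "version": "2.3.1", "supplier": "example.org"},
        {"name": "org.example:json-parser", "version": "1.9.0-SNAPSHOT", "supplier": "example.org"},
        {"name": "backup-agent", "version": "0.4.2", "supplier": "internal"},
    ],
})

# Constructed advisories with placeholder ids: versions strictly below "fixed_in" are affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "org.example:web-framework", "fixed_in": "2.3.5"},
    {"id": "ADV-PLACEHOLDER-002", "component": "org.example:json-parser", "fixed_in": "1.8.0"},
]


def parse_version(version):
    """Turn '2.3.1' or '1.9.0-SNAPSHOT' into a comparable tuple of ints.

    Only the leading digits of each dot-separated field count; a field with no
    digits compares as 0. Real ecosystems have richer rules (semver pre-release
    ordering, Maven qualifiers), so this is a simplification for the example.
    """
    fields = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        fields.append(int(m.group()) if m else 0)
    return tuple(fields)


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: str


def load_inventory(text):
    """Parse the inventory and reject records missing the fields the check relies on."""
    data = json.loads(text)
    components = data.get("components")
    if not isinstance(components, list):
        raise ValueError("inventory has no 'components' list")
    for c in components:
        if not {"name", "version"} <= set(c):
            raise ValueError(f"component record missing name/version: {c!r}")
    return components


def find_vulnerable_components(inventory_text, advisories):
    """Return one Finding per (component, advisory) pair where the shipped version is affected."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)
    findings = []
    for comp in load_inventory(inventory_text):
        for adv in by_component.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{f.component} {f.version}: {f.advisory} (fixed in {f.fixed_in})")
```

Run as-is, the script reports the web framework (2.3.1 is below the constructed fix version 2.3.5) and stays silent on the JSON parser, whose 1.9.0 snapshot is already past its constructed fix. The inventory loader rejects a file without a `components` list rather than silently reporting "nothing affected", which is the failure mode that matters most for this kind of check: an empty or malformed inventory must not look like a clean one.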

McGraw said that as the software security community pulls triple duty tackling orchestration, software supply chain management and some traditional system admin tasks, it has less to complain about. “They no longer get to whine. Now they can just get out in front of these problems and solve them.”

Authors

Threatpost
